arona/PyRIGS
1
0
Fork 0
mirror of https://github.com/nottinghamtec/PyRIGS.git synced 2026-01-23 08:22:15 +00:00
Code Issues Projects Releases Wiki Activity

Escape HTML provided in form - issue #148

Browse Source
This commit is contained in:
David Taylor
2015-07-20 22:02:08 +01:00
parent 30f235be22
commit 9bc932807f
1 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
RIGS/static/js/interaction.js
View File

@@ -11,6 +11,10 @@ function nl2br (str, is_xhtml) {
return (str + '').replace(/([^>\r\n]?)(\r\n|\n\r|\r|\n)/g, '$1'+ breakTag +'$2'); return (str + '').replace(/([^>\r\n]?)(\r\n|\n\r|\r|\n)/g, '$1'+ breakTag +'$2');
} }
function escapeHtml (str) {
return $('<div/>').text(str).html();
}
function updatePrices() { function updatePrices() {
// individual rows // individual rows
var sum = 0; var sum = 0;
@@ -101,8 +105,8 @@ $('body').on('submit', '#item-form', function (e) {
} }
// update the table // update the table
$row = $('#item-' + pk); $row = $('#item-' + pk);
$row.find('.name').html(fields.name); $row.find('.name').html(escapeHtml(fields.name));
$row.find('.description').html(nl2br(fields.description)); $row.find('.description').html(nl2br(escapeHtml(fields.description)));
$row.find('.cost').html(parseFloat(fields.cost).toFixed(2)); $row.find('.cost').html(parseFloat(fields.cost).toFixed(2));
$row.find('.quantity').html(fields.quantity); $row.find('.quantity').html(fields.quantity);